Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting

Copyright © 2015 ForgeRock, all rights reserved. 1
Extend The Power of
The ForgeRock Identity Platform
Through Scripting
Javed Shah, Senior Sales Engineer
Anders Askåsen, Senior Technical Product Manager
October 27th, 2015

Fastest-growing Open Source Identity
Security Software company in the world
Our Investors: Our Origins:
ForgeRock
• Founded 2010 with high double digit growth every year
since inception
• Over 300 full time employees
• Over 400 customers
• Active in over 30 countries
• Locations: San Francisco, Vancouver (US), Bristol
(UK), London (UK), Grenoble (F), Oslo, Singapore,
Düsseldorf (D)
Award winning platform driving
innovation worldwide
• Gold winner of the CEO World awards 2014
• Silver Winner in the 6th Annual Golden
Bridge Award 2014
• Silver winner for the Fastest-Growing Company of the
Year in 2014
• Best in Biz Awards 2014

Extensible Software
“As companies get serious about digital transformation,
we see investments shifting toward extensible software platforms
used to build and manage
a differentiated customer experience.”
Source (March 2015):
http://blogs.forrester.com/michael_yamnitsky/15-03-31-modern_software_platforms_are_in_hypergrowth

The Platform

The ForgeRock Identity Platform
(Identity Management) (Access Management)
(Directory Services) (Identity Gateway)

Unified Platform
Web Services
Security
Session
Management
Synchronization Auditing
LDAPv3 REST/JSON
Replication Access Control
Schema
Management
Caching
Auditing
Monitoring
Groups
Password Policy
Active
Directory Synch
Reporting
Authentication Authorization Provisioning
Password
Management
Authentication OpenID Connect
Federation Entitlements Workflow Engine Reconciliation Password Replay OAuth2
Adaptive Risk
Single
Sign-on
Registration Role Provisioning
Message
Transformation
SAML2
Throttling Scripting
CommonRESTAPI
CommonUserInterface
Single Integrated, Open Platform

Deployment & Config

Deployment & Config
#!/bin/sh
URL="http://openam.example.com:8080”
AM="${URL}/openam”
AUTHN="${AM}/identity/authenticate”
TOK=`curl -s -k --request POST --data "username=amadmin&password=cangetinam" $AUTHN | cut -f2 -d=`
echo "=> OpenAM Token: ${TOK}" ; echo ""
# --data @body.json

Deployment & Config
curl --request POST --header "iplanetDirectoryPro: ${TOK}” --header "Content-Type: application/json” --data
'{"client_id":["mobile"],
"realm":["/"],
"userpassword":["password"],
"com.forgerock.openam.oauth2provider.clientType":["Confidential"],
"com.forgerock.openam.oauth2provider.redirectionURIs":
["'"${URL}/oauth2/oauth2.htm"'","'"${URL}/oIDc/openidc.htm"'"],
"com.forgerock.openam.oauth2provider.scopes":["cn|Name","mail|Email","openid","profile"],
"com.forgerock.openam.oauth2provider.defaultScopes":["cn"],
"com.forgerock.openam.oauth2provider.responseTypes":["code","token","id_token","code token","token id_token","code id_token","code token
id_token"],
"com.forgerock.openam.oauth2provider.idTokenSignedResponseAlg":["HS256"],
"com.forgerock.openam.oauth2provider.name":["Test Client"],
"com.forgerock.openam.oauth2provider.description":["OIDC 1.0 Client"]
}'
${AM}/frrest/oauth2/client/?_action=create

Scripting in OpenIDM

Scripted Connectors
•Scripted Groovy Connector Implementations
–Scripted SQL
–Scripted REST
–Scripted CREST
–Scripted Azure
•Samples provided!
•Microsoft Integration – The Scripted PowerShell Connector
•Samples provided illustrating Active Directory

OpenIDM Services
openidm.create("managed/user", bjensen, map);
openidm.patch("managed/user/" + user._id, null,
[{"operation" : "replace", "field" : "/password", "value":
"Passw0rd"}]);
openidm.read("managed/user/"+userId);
openidm.update('managed/user/' + source._id, null,
user_read);
openidm.delete('managed/user/'+ user._id, user._rev);
openidm.query("managed/user", { "_queryFilter": "/userName
sw "user.1""}, ["userName", "_id"]);
openidm.action('sync', 'performAction', content, params);

OpenIDM Services
openidm.encrypt(value, cipher, alias);
openidm.decrypt(value);
openidm.isEncrypted(object);
openidm.hash(value, algorithm);
logger.info(string message, object... params);
logger.debug(string message, object... params);
logger.error(string message, object... params);
logger.trace(string message, object... params);
logger.warn(string message, object... params);

Where can scripts be triggered?
•Scripts in Mappings (conf/sync.json)
•Triggered by situationon (onCreate, onUpdate, onDelete, onLink, onUnlink)
•Object filter (validSource, validTarget)
•Correlating objects (correlationQuery, correlationScript)
•Any reconciliation
•Scripts inside properties
•Scripts called in the managed object configuration
(conf/managed.json) file
•onCreate, onRead, onUpdate, onDelete, onValidate, onRetrieve, onStore,
onSync, postCreate, postUpdate, and postDelete

Where can scripts be triggered?
• Scripts called in the router configuration (conf/router.json)
fileonRequest, onResponse, onFailure
• Scripted Connectors
Scripted SQL
Scripted Groovy
Scripted REST/CREST
Scripted SAP
Scripted SSH
Scripted PowerShell

Scripting in OpenAM
http://openam.forgerock.org/doc/bootstrap/dev-guide/index.html#chap-scripting
Draft documentation

Overview
• Script Design and Workflow in OpenAM
• Device Registration and Authentication
–A more standard way of using the Scripting Framework
–Demo
• The Scripting API
–Useful in geo fencing using reverse geocode lookup
–Useful for policy or role-based authentication
–Demo

Scripting Design –
The Client Side Script
•Authentication modules can use Client Side scripts and Server Side
scripts (JavaScript or Groovy)
•The use of a Client Side script is optional
•Used as a data collection mechanism
– Geo location / Fonts / Screen resolution / Timezone
– Browser Plugins
•Returns collected data in: clientScriptOutputData
–A string you could .split() to pull all client-side data

The Client Side Script

Scripting Design –
The Server Side Script
•Handles Authentication
•Has access to:
–clientScriptOutputData (sent by the client script)
–Scripting API
•Must set the authentication state to
–SUCCESS or
–FAILED

The Server Side Script

Device Registration and Authentication in
OpenAM

Device Authentication

Device Id (Match)
•Predefined scripts in OpenAM:
–Client side script
–Server side script
•Scripts are referenced inside Module instances
•Depends on other modules:
–For user identification (Data Store)
–Second factor on failure (HOTP)
–Device Id Save!

Device Id (Match)
•Checks different criteria using Client Side Script
–User agents
–Installed fonts
–Installed plugins
–resolution/color depth associated with a display
–time zone, geo location
•Adds penalty points if one criteria is missed
•Checks sum of penalty points against a threshold

Device Id (Save)
•Prompts the user before saving the device profile
–Can be configured to auto save
•Will save the device profiles in the user’s profile
– Number of profiles stored can be changed from a default 5
•Authentication chain is usually configured to not reach this module,
if the device was recognized by the Device Id (Match) module
–Device Id Match configured as Sufficient ensures processing stops if a
profile match was found

Demo – Device Fingerprinting

Scripted Authentication in OpenAM

Scripted Authentication

HTTP Commons Framework
(coming in OpenAM 13)
•org.forgerock.http.protocol.*
–Request / Cookie / Entity / Header / Headers / Response
•org.forgerock.util.promise.*
–Promises
–A Promise represents the result of an asynchronous task.
•groovy.json.JsonSlurper
–JSON parser used in the scripts
•API Documentation
–http://commons.forgerock.org/bom/apidocs/index.html

Scripting API
•Make REST API calls from the Server Side Script!
–Use the new HTTP Commons Framework to make a new Request
–httpClient.send(Request), returns a Promise
–Promise.get(), returns a Response
–Parse the Response using JsonSlurper!
•Accessing Authentication State
–OpenAM passes to Server Side script:
•authState, sharedState (contains password also)
•username

Scripting API
•Logging
–logger
• error() / message() / warning()
•Accessing Profile Data
–idRepository
• getAttribute / setAttribute / addAttribute
•Access the original login request using requestData object
–getHeader(name) / getHeaders(name)
–getParameter(name) / getParameters(name)

Policy Configuration for Demo

Scripting Demo
Acquire ssoToken using REST
Evaluate policy for the resource “authn/self” and “authn/view”

Scripting Demo
Policy decision
Check Policy decision and permit if requested actions ALLOWED
Logout the service account or the user

Demo – Scripted Authentication

Other Possibilities
•Policy condition scripting
–attach a script as a policy condition!
•OIDC Claims data
–Scripts that gather and populate the claims in a request when issuing
an ID token or making a request to the userinfo endpoint.

IDENTITY SUMMIT SERIES 2015: EUROPE
5 November
Amsterdam
10 November
Düsseldorf
Visit summits.forgerock.com

Thank You!
Questions?

Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting

Similar to Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting (20)

More from ForgeRock

More from ForgeRock (20)

Recently uploaded

Recently uploaded (20)

Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting